On 2005/01/12, at 16:31, Kamesh Jayachandran wrote:

Hi Moriyoshi,
Still, ent_uni_8592_9002's actual size is 410 but it is accessed with an index
of 410.

Huh? I'm confident about it :) It's certainly 411.

#include <stdio.h>

/*
 * HTML entity names for the code points U+2190..U+232A (8592..9002),
 * indexed by (code point - 8592). Slots not listed below are NULL, i.e.
 * the code point has no named entity. The array length is fixed by the
 * highest designated index, 0x232A - 0x2190 = 410, giving 411 elements;
 * a lookup must keep the code point within 8592..9002, since an index of
 * 411 or more reads past the end of the table.
 */
static char *ent_uni_8592_9002[] = {
        /* U+2190 arrows */
        [0x2190 - 0x2190] = "larr",
        [0x2191 - 0x2190] = "uarr",
        [0x2192 - 0x2190] = "rarr",
        [0x2193 - 0x2190] = "darr",
        [0x2194 - 0x2190] = "harr",
        [0x21B4 - 0x2190] = "crarr",
        [0x21D0 - 0x2190] = "lArr",
        [0x21D1 - 0x2190] = "uArr",
        [0x21D2 - 0x2190] = "rArr",
        [0x21D3 - 0x2190] = "dArr",
        [0x21D4 - 0x2190] = "hArr",
        [0x21D5 - 0x2190] = "vArr",
        [0x21DA - 0x2190] = "lAarr",
        [0x21DB - 0x2190] = "rAarr",
        [0x21DD - 0x2190] = "rarrw",
        /* U+2200 mathematical operators */
        [0x2200 - 0x2190] = "forall",
        [0x2201 - 0x2190] = "comp",
        [0x2202 - 0x2190] = "part",
        [0x2203 - 0x2190] = "exist",
        [0x2204 - 0x2190] = "nexist",
        [0x2205 - 0x2190] = "empty",
        [0x2207 - 0x2190] = "nabla",
        [0x2208 - 0x2190] = "isin",
        [0x2209 - 0x2190] = "notin",
        [0x220A - 0x2190] = "epsis",
        [0x220C - 0x2190] = "ni",
        [0x220D - 0x2190] = "bepsi",
        [0x220F - 0x2190] = "prod",
        [0x2210 - 0x2190] = "coprod",
        [0x2211 - 0x2190] = "sum",
        [0x2212 - 0x2190] = "minus",
        [0x2213 - 0x2190] = "mnplus",
        [0x2214 - 0x2190] = "plusdo",
        [0x2216 - 0x2190] = "setmn",
        [0x2218 - 0x2190] = "compfn",
        [0x221A - 0x2190] = "radic",
        [0x221D - 0x2190] = "prop",
        [0x221E - 0x2190] = "infin",
        [0x221F - 0x2190] = "ang90",
        [0x2220 - 0x2190] = "ang",
        [0x2221 - 0x2190] = "angmsd",
        [0x2222 - 0x2190] = "angsph",
        [0x2223 - 0x2190] = "mid",
        [0x2224 - 0x2190] = "nmid",
        [0x2225 - 0x2190] = "par",
        [0x2226 - 0x2190] = "npar",
        [0x2227 - 0x2190] = "and",
        [0x2228 - 0x2190] = "or",
        [0x2229 - 0x2190] = "cap",
        [0x222A - 0x2190] = "cup",
        [0x222B - 0x2190] = "int",
        [0x222E - 0x2190] = "conint",
        [0x2234 - 0x2190] = "there4",
        [0x2235 - 0x2190] = "becaus",
        [0x223C - 0x2190] = "sim",
        [0x223D - 0x2190] = "bsim",
        [0x2240 - 0x2190] = "wreath",
        [0x2241 - 0x2190] = "nsim",
        [0x2243 - 0x2190] = "sime",
        [0x2244 - 0x2190] = "nsime",
        [0x2245 - 0x2190] = "cong",
        [0x2247 - 0x2190] = "ncong",
        [0x2248 - 0x2190] = "ap",
        [0x2249 - 0x2190] = "nap",
        [0x224A - 0x2190] = "ape",
        [0x224C - 0x2190] = "bcong",
        [0x224D - 0x2190] = "asymp",
        [0x224E - 0x2190] = "bump",
        [0x224F - 0x2190] = "bumpe",
        [0x2260 - 0x2190] = "ne",
        [0x2261 - 0x2190] = "equiv",
        [0x2264 - 0x2190] = "le",
        [0x2265 - 0x2190] = "ge",
        [0x2266 - 0x2190] = "lE",
        [0x2267 - 0x2190] = "gE",
        [0x2268 - 0x2190] = "lnE",
        [0x2269 - 0x2190] = "gnE",
        [0x226A - 0x2190] = "Lt",
        [0x226B - 0x2190] = "Gt",
        [0x226C - 0x2190] = "twixt",
        [0x226E - 0x2190] = "nlt",
        [0x226F - 0x2190] = "ngt",
        [0x2270 - 0x2190] = "nles",
        [0x2271 - 0x2190] = "nges",
        [0x2272 - 0x2190] = "lsim",
        [0x2273 - 0x2190] = "gsim",
        [0x2276 - 0x2190] = "lg",
        [0x2277 - 0x2190] = "gl",
        [0x227A - 0x2190] = "pr",
        [0x227B - 0x2190] = "sc",
        [0x227C - 0x2190] = "cupre",
        [0x227D - 0x2190] = "sscue",
        [0x227E - 0x2190] = "prsim",
        [0x227F - 0x2190] = "scsim",
        [0x2280 - 0x2190] = "npr",
        [0x2281 - 0x2190] = "nsc",
        [0x2282 - 0x2190] = "sub",
        [0x2283 - 0x2190] = "sup",
        [0x2284 - 0x2190] = "nsub",
        [0x2285 - 0x2190] = "nsup",
        [0x2286 - 0x2190] = "sube",
        [0x2287 - 0x2190] = "supe",
        [0x2295 - 0x2190] = "oplus",
        [0x2297 - 0x2190] = "otimes",
        [0x22A5 - 0x2190] = "perp",
        [0x22C5 - 0x2190] = "sdot",
        /* U+2300 miscellaneous technical */
        [0x2308 - 0x2190] = "lceil",
        [0x2309 - 0x2190] = "rceil",
        [0x230A - 0x2190] = "lfloor",
        [0x230B - 0x2190] = "rfloor",
        [0x2329 - 0x2190] = "lang",
        /* highest index, 9002 - 8592 = 410, fixes the element count at 411 */
        [0x232A - 0x2190] = "rang"
};

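/*
 * Prints the element count of ent_uni_8592_9002 next to the count its name
 * implies (8592..9002 inclusive). The two must agree, otherwise the last
 * code point in the range indexes one element past the table.
 */
int main(void)
{
        /* sizeof yields size_t, so print it with %zu; %d would be a format
         * mismatch (undefined behaviour) rather than a guaranteed value */
        printf("%zu %d\n",
               sizeof(ent_uni_8592_9002) / sizeof(ent_uni_8592_9002[0]),
               9002 - 8592 + 1);
        return 0;
}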


Moriyoshi


With regards Kamesh Jayachandran

On Wed, 12 Jan 2005 05:51:01 +0900, "Moriyoshi Koizumi"
<[EMAIL PROTECTED]> said:
Now fixed in CVS. Thanks for the good report.

Moriyoshi

On 2005/01/10, at 22:30, Kamesh Jayachandran wrote:

Hi All,
The following script causes a segmentation fault on NetWare but not on the
Windows or Linux versions of php-5.0.3:
<?php
html_entity_decode('&ensp;', ENT_QUOTES, 'UTF-8');
?>


I cannot attribute it to NetWare; instead, I could see the defect in our
ext/standard/html.c.
The cause seems to be that the following arrays are accessed with an index
that is beyond their size:
1) ent_uni_spacing (actual size is 22 but accessed with an index of 22)
2) ent_uni_8592_9002 (actual size is 410 but accessed with an index of 410.
From the name it seems that 9002 is a valid index, so we need to add one
more NULL at the end)
Either we should add one more entry to the ent_uni_spacing array or
reduce our endchar in entity_map
You can see the index with which these arrays are accessed by putting a
printf("k - entity_map[j].basechar = %d\n", k -
entity_map[j].basechar);
in the for loop which is around line 898 in html.c version 1.97.2.1.





